Resource Center

Health Data Breaches

Question: Are healthcare providers liable under the FCRA for patient health data breaches?

Response & Analysis:

Courts are starting to say no. As data breaches continue to compromise private consumer information at increasing rates, plaintiffs’ attorneys are developing creative methods and legal theories to hold healthcare providers liable when patient information is stolen. In a recent string of cases surfacing across the nation, patients are filing class-action lawsuits against healthcare providers under the Fair Credit Reporting Act (FCRA) when systems containing patient data are breached. The FCRA provides patients with some protections over their medical information, including a requirement that patients provide consent before their medical information can be disclosed.

However, the FCRA’s limitations and requirements only apply to a consumer reporting agency assembling information for the purpose of furnishing it to third parties. Under the FCRA, a “consumer reporting agency” is any person or entity that regularly assembles information about consumers and furnishes it to third parties for a specified purpose such as for employment or insurance.

Although lawsuits attacking healthcare data breaches under this theory have recently increased in popularity, it is unclear whether these suits will garner much success since healthcare providers do not fit the traditional definition of a “consumer reporting agency” under the FCRA. Nonetheless, some providers are choosing to settle the lawsuits early in the process in order to avoid a drawn-out litigation battle and the potential for increased liability.

In a lawsuit involving a major university medical center, a group of current and former patients filed a class action claiming that the university allowed unauthorized parties to access confidential patient records—including confidential personal health information—without having adequate security measures in place and without the patients’ knowledge or consent. The suit arose from a breach of a third-party’s information system that the university had contracted with to store patient information off-site. The plaintiffs alleged that the university violated its obligations as a consumer reporting agency under the FCRA by allowing the plaintiffs’ personal health information to be misused and intentionally disclosed to third parties for profit. The university promptly settled the lawsuit for over $100,000.

In a similar suit filed against a large hospital organization, five former patients are suing a group of hospitals on behalf of any current or former patient who may have been affected by an alleged data breach that compromised roughly 4.5 million patients’ personal information. The plaintiffs claim the hospitals are “consumer reporting agencies” under the FCRA and thus violated the FCRA when they failed to properly secure and encrypt patient information. The plaintiffs allege that the FCRA protects their medical information and restricts its dissemination to limited instances, and the hospitals failed to adopt and maintain procedures designed to protect and limit the dissemination of such information as required by the FCRA.

Most notably, in a case against a leading health system, the U.S. District Court for the Northern District of Illinois dismissed the plaintiffs’ class action because the court did not consider the healthcare provider to be a “consumer reporting agency” under the FCRA. The plaintiffs argued that the network of affiliated doctors and hospitals was a consumer reporting agency that regularly furnished personal patient information to third parties, and thus violated the FCRA when it failed to properly secure the information or to obtain patient consent prior to providing third parties with access to the information.

The alleged FCRA violation arose from an incident in which four desktop computers containing patient information were stolen from one of the health system’s offices. The court dismissed the claims, finding that the health system could not be considered a consumer reporting agency under the FCRA because it does not regularly engage in the practice of assembling information on consumers for the purpose of furnishing consumer reports to third parties. Further, the court stated that an allegation that computers containing personal information were stolen is not sufficient to support a finding that the health system furnished such information to a third party.

Although it may prove to be difficult for plaintiffs to succeed under the FCRA when their medical information is compromised, they can still bring actions under other state and federal statutes. Additionally, regardless of what statute is alleged to have been violated, defending against these lawsuits can be a very long and expensive endeavor. Thus, hospitals and other healthcare providers would be well-advised to properly store and secure patient information, making sure to encrypt all patient data and only allowing authorized personnel to access the systems containing such information.

What Our Clients Are Saying

Everyone I have contacted at Certiphi has been a complete pleasure to work with. The Certiphi customer service rivals every other customer service I come in contact with. Everyone is always so professional, yet super nice! Thanks for all you do and keep up the amazing work and impeccable service that you provide!!!

Human Resources Assistant

Large Medical Staffing Firm

Thank you so much! You have such an incredible reputation within our office; I think we would all say your customer service levels are continually at about 125%!

Human Resources Generalist

Medical and Surgical Hospital

The response time has been very quick. The turnaround times are great. I love your systems and that I can go in and look at the process as its going.

Human Resources Manager

Medical Staffing Agency

It’s such a great customer service that you provide and I’m happy to tell that to anyone.

Pastoral Care Associate

Large Children's Hospital

Working with Certiphi has been such a pleasure. Certiphi has taught me so much, not just about backgrounds but also the meaning of great business.

Human Resources Specialist

Large Medical Staffing Firm

We flew through our NCQA licensure review. We very much appreciate Certiphi's help in earning a 100% score for the files!